User postfix refuses to run sa-learn

Glenn Steen glenn.steen at gmail.com
Sun Sep 16 20:57:41 IST 2007 

On 16/09/2007, Martin Wickman <martin.wickman at xms.se> wrote:
> Glenn Steen wrote:
> > On 16/09/2007, Martin Wickman <martin.wickman at xms.se> wrote:
> >> Glenn Steen wrote:
>
> [..]
>
> >> Ok, thanks for you help, but I dont think that is the problem. The
> >> problem is that postfix owns the bayes-files and the postfix-software
> >> dont want to run scripts as the postfix user. pipe(8) explains this as
> >> "The software refuses to execute commands  with  root  privileges,
> >> or with  the  privileges of the mail system owner."
> > Ah. Yes. Might be a problem:-D. So then a rethink might be in order.
> > Why not just let procmail or a cron job handle it?
>
> Yeah I thought about that, but the problem is still there (I think?).
> Only the postfix user can update the bayes data and it wont help much
> having procmail do it.
>
... run in gw-mode, as the PF user...?

> Do you think it is possible to change MailScanner.conf in some way, ie
> to have a separate SA-user which is not 'postfix'? As it is now "Run As
> User" is postfix and maybe it's possible to change something here, akin
> to "Quarantine User"?

You could use another Run As Group, I guess.... Like for clamav (and a
little like one does for MailWatch... apache group, in that case...
Then specify a user:group accordingly... I think pipe will fall back
to the group...).

> > Procmail should be fairly easy, provided you have it already... well,
> > even if you don't:-).
> > Or running a cronjob that "plunders" the spam mailbox (which would
> > need be a real mailbox) and run the script on the messages... should
> > be fairly easy too. I'm sure there are others that have done something
> > like that before, perhaps even documented it (haven't checked the
> > wiki)...
>
> Thought of that too, but there is the issue with forwarded spammails.
> That is, attached mails needs to be splitted into single mails before
> se-learn can grok them correctly. Also, having to run sa-learn on the
> whole corpus all the time seems wasteful.
>
Don't you have that problem anyway?

> >> Btw, the setup is taken from
> >> http://www.jousset.org/pub/sa-postfix.en.html if you want de details.
> >> Thats site is off-line or something, but google has working cache:
> >> http://www.google.com/search?q=cache:S0-FoGYZSHwJ:www.jousset.org/pub/sa-postfix.en.html+http://www.jousset.org/pub/sa-postfix.en.html&hl=en&ct=clnk&cd=1&gl=se&client=firefox-a
> >>
> > Too tired to go look, perhaps tomorrow:).
>
> Please do :-)
>
Tomorrow... Morgonstund har guld i mun(d):-):-).

> [..]
>
> >> For the record, running as a non-root, not-postfix user gives this error
> >> as expected:
> >>
> >> $ sa-learn --forget /tmp/spamish
> >> bayes: expire_old_tokens: locker: safe_lock: cannot create lockfile
> >> /var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
> >> Forgot tokens from 0 message(s) (1 message(s) examined)
> >> bayes: locker: safe_lock: cannot create lockfile
> >> /var/spool/MailScanner/spamassassin/bayes.mutex: Permission denied
> >
> > As expected... One wonders what would happen if you played a bit with
> > the script and the "sticky bit".... A "non-PF script" calls the sticky
> > "PF script"...;-)
>
> Dunno, didn't think script could be setuid?

I still live in the dark ages... When that was so very easy to do:-):-)

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list